CLAIMS 

We claim: 

1. An intrusion detection method, comprising the steps of: 

storing a plurality of signatures in a signature table of an intrusion detection system; and 
ranking at least two signatures of the plurality of signatures by likelihood of occurrence. 



2. The method of claim 1, wherein the plurality of signatures includes at least one null signature. 



3. The method of claim 1, wherein said at least two signatures includes at least one null 
signature. 

4. An intrusion detection method, comprising the steps of: 

storing a plurality of signatures in a signature table of an intrusion detection system; 
detecting, by the intrusion detection system, a system event; and 

comparing the system event with the plurality of signatures; 

wherein the step of comparing is performed in a sequence according to a ranking of the 
plurality of signatures by likelihood of occurrence. 



5. The method of claim 4, wherein the ranking of the plurality of signatures by likelihood of 
occurrence is computed from occurrence data. 

6. An intrusion detection method, comprising the steps of: 

storing a plurality of signatures in a signature table of an intrusion detection system, said 
plurality of signatures including at least one null signature; 

ranking the plurality of signatures by likelihood of occurrence to provide a ranking order; 

detecting, by an intrusion detection system, a system event; and 

comparing the system event with the plurality of signatures; 

wherein the step of comparing is performed in a sequence according to the ranking order. 

7. A method of managing a signature table for an intrusion detection system, comprising the 
steps of: 

detecting, by an intrusion detection system, a system event; 

determining whether a signature table of the intrusion detection system includes a 
signature with a signature event that matches the system event; and 

when the signature table does not include a signature with a signature event that matches 
the system event, storing, in the signature table, a null signature with a signature event that 
matches the system event. 

8. A method of managing a signature table for an intrusion detection system, comprising the 
steps of: 

detecting, by an intrusion detection system, a system event; 

determining whether a signature table of the intrusion detection system includes a 
signature event that matches the system event; and 



when the signature table includes a signature event that matches the system event, 
updating occurrence data associated with the signature event. 

9. The method of claim 8, further including the step of ranking at least two signatures included 
in the signature table by likelihood of occurrence computed from the occurrence data. 



10. The method of claim 8, further including the step of: 

when the signature table does not include a signature event that matches the system event, 
storing a null signature in the signature table. 



11. The method of claim 10, wherein the null signature includes a signature event that matches 
the system event. 

12. An intrusion detection method, comprising the steps of: 

detecting, by an intrusion detection system, a system event; 

determining whether a cache of the intrusion detection system includes a signature event 
that matches the system event; 

when the cache does not include the signature event, determining whether a signature 
table of the intrusion detection system includes the signature event; and 

when the signature table does not include the signature event, storing the signature event 
in the cache. 



13. The method of claim 12, wherein the signature event is stored in the cache as part of a null 
signature, and wherein the step of storing includes a step of storing the null signature in the 
cache. 

14. An intrusion detection system, comprising: 

an event detector for detecting a system event; 
a signature table comprising signatures; and 

logic for searching the signature table responsive to detection of the system event by the 
event detector; 

wherein the signature table includes at least one null signature and at least one signature 
that is not a null signature. 

15. A signature table of an intrusion detection system, said signature table comprising a plurality 
of signatures, wherein at least one signature of the plurality of signatures includes occurrence 
data. 

16. A signature table of an intrusion detection system, said signature table comprising a plurality 
of signatures, wherein at least one signature of the plurality of signatures is a null signature. 

17. The signature table of claim 16, wherein at least one signature of the plurality of signatures 
includes occurrence data. 

18. The signature table of claim 16, wherein at least one signature of the plurality of signatures is 
a null signature that includes occurrence data. 

19. An intrusion detection system, comprising: 

an event detector for detecting a system event; 

a signature table comprising signatures; and 

logic for searching the signature table responsive to detection of the system event by the 
event detector; 

wherein the logic searches the signature table in a sequence according to a ranking of the 
signatures by likelihood of occurrence. 

20. The intrusion detection system of claim 19, wherein likelihood of occurrence is observed 
frequency of occurrence computed from occurrence data. 
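
The following Python example is added here as an illustration and is not part of the claims or the applicant's own code. It implements the table management of claims 7 through 11 and the ranked comparison of claims 4 and 5; the event names, the verdict labels, the re-ranking interval and the reading of a null signature as an entry that matches without raising an alert are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Signature:
    event: str       # signature event compared against each system event
    is_null: bool    # assumption: a null signature matches but raises no alert
    count: int = 0   # occurrence data (claims 8, 15)

class SignatureTable:
    def __init__(self, signatures, rerank_every=4):
        self.sigs = list(signatures)
        self.rerank_every = rerank_every  # assumed re-ranking interval, in events
        self.seen = 0

    def rank(self):
        # Likelihood of occurrence taken as observed frequency (claims 5, 20).
        # list.sort is stable, so equally frequent signatures keep their order.
        self.sigs.sort(key=lambda s: s.count, reverse=True)

    def process(self, event):
        """Compare one system event in ranking order; return (verdict, comparisons)."""
        self.seen += 1
        for comparisons, sig in enumerate(self.sigs, start=1):
            if sig.event == event:
                sig.count += 1  # claim 8: update occurrence data on a match
                verdict = "null" if sig.is_null else "alert"
                break
        else:
            # Claims 7, 10, 11: no match, so store a null signature for the event.
            comparisons = len(self.sigs)
            self.sigs.append(Signature(event, is_null=True, count=1))
            verdict = "new-null"
        if self.seen % self.rerank_every == 0:
            self.rank()
        return verdict, comparisons

# Constructed sample data: three intrusion signatures and a short event stream.
INTRUSION_EVENTS = ["port-scan", "root-login-fail", "passwd-write"]
SAMPLE_EVENTS = ["user-login", "user-login", "port-scan",
                 "user-login", "user-login", "port-scan"]

def replay(events, rerank_every=4):
    table = SignatureTable(
        [Signature(e, is_null=False) for e in INTRUSION_EVENTS], rerank_every)
    results = [table.process(e) for e in events]
    return results, [s.event for s in table.sigs]

if __name__ == "__main__":
    results, order = replay(SAMPLE_EVENTS)
    for event, (verdict, n) in zip(SAMPLE_EVENTS, results):
        print(f"{event:16} {verdict:9} comparisons={n}")
    print("final order:", order)
```

After the re-rank at the fourth event, the frequent user-login event is resolved in one comparison instead of four.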